Computer-implemented system and method for creating an environment for detecting malicious content

ABSTRACT

Techniques and mechanisms are disclosed for creating an environment for detecting malicious network traffic. A test computer network including a plurality of cloned nodes is created. The plurality of cloned nodes in the test computer network corresponds to at least some of a plurality of target nodes of a host computer network, and the test computer network has no network connectivity to the host computer network. Sensors in both the host computer network and the test computer network generate network flow records that are sent to a detection processing pipeline. The detection processing pipeline merges the records received from the sensors and uses the merged records to train at least one model used to identify instances of malicious network traffic.

CROSS-REFERENCE TO RELATED APPLICATION

This application claims the benefit of U.S. Provisional Application Ser. No. 62/453,462, filed on Feb. 1, 2017, the entire contents of which are hereby incorporated by reference as if fully set forth herein.

FIELD

This application relates in general to analyzing network traffic, and in particular to a computer-implemented system and method for creating an environment for detecting malicious content.

BACKGROUND

Monitoring network traffic is extremely important for businesses, as well as smaller organizations and personal use to ensure network performance, availability, and security. Network traffic monitoring can include reviewing incoming and outgoing data packets for possible event occurrences that affect network functioning, such as security breaches and performance bottlenecks, which can slow the network.

Conventional methods for monitoring network traffic exist for enterprise business environments, small business environments, and personal use in some cases. Such methods often create test network traffic for the development and validation of network security detection capabilities. However, conventional network traffic monitoring techniques can introduce issues into how detection is developed and tested since modern detection is moving towards machine learning. In some cases, effective testing on a live network may rely on live production nodes, which is generally undesirable due to placing the live network at actual risk.

Therefore, there is a need for an approach to generating test network traffic for the development and validation of efficient and accurate network security detection.

BRIEF DESCRIPTION OF THE DRAWINGS

In the drawings:

FIG. 1 is a block diagram showing a computer-implemented system for creating an environment for detecting malicious content, in accordance with one embodiment.

FIG. 2 is a flow diagram showing a computer-implemented method for creating an environment for detecting malicious content, in accordance with one embodiment.

DETAILED DESCRIPTION

Network traffic within an environment should be continuously monitored to ensure proper performance of the network and to detect attempts of breach. Conventional network monitoring systems exist, but typically rely on copies of network traffic with malicious traffic that are replayed for testing the identification of the malicious traffic. However, network detection is moving towards machine learning, which requires training of classifiers using realistic data to obtain the most effective and accurate detection of malicious events. Malicious traffic is then created on the test range network and then that traffic's flow records are placed into a dataflow with traffic from the live network which allows for accurate detection in a live setting.

FIG. 1 is a block diagram showing a computer-implemented system for creating an environment for detecting malicious content, in accordance with one embodiment. A host network 11 is identified for which network security detection is to be applied. The host network can be maintained by an organization, such as a business social group, or family, as well as by an individual, and can include nodes 12, which each represent a computing device, such as a server, container, desktop computer, laptop, tablet, mobile telephone, printer, or scanner, as well as other types of computing devices. Each computing device 12 in the host network 11 can be identified via a unique media access control (MAC) address and internet protocol (IP) address. One or more sensors 13 are placed within the host network environment for monitoring communication of the nodes. The communication can include internal communication between the nodes, as well as communication to and from the nodes via nodes external to the host network.

A test network environment 17 is created based on the host network for use as a test range in detecting malicious traffic within the host network. The test network environment 17 includes clones 18 of at least a portion of the nodes in the host network. A sensor 13 is also provided within the test network environment 17 to monitor communication of the nodes.

For each communication identified in the host network and the test network, a record 15 is generated. Each record can include metadata about the communication, including a MAC address and IP address of the nodes participating in the communication. Once generated, the records are sent through a detection processing pipeline 14, which includes a set of models 16 that each represent a mathematical, machine learning, or matching, or other method, to identify evidence of a communication as malicious traffic. The models rely on understanding of and learning what is normal network behavior in a given network environment so that evidence of malicious behavior can be identified. By overlaying traffic from the test network on top of the actual network traffic, the models can be tuned to effectively identify evidence of malicious behavior within the normal network traffic. Since traffic varies widely from one network to another, the ability to tune the models to find the malicious test traffic over the top of the actual real-world network traffic, versus looped or synthetic test traffic, makes the detections from the models far more accurate.

If the record matches one or more of the models, the record 19 is pulled from the detection processing pipeline 14 and provided to an end user 20 for further review. In one embodiment, upon selection of the record 19 from the detection processing pipeline 14, the record can be transmitted for further computer based processing and analysis prior to providing the record to the end user 20. For example, the selected records can further be compared with prior traffic and events.

The computing devices and servers can each include one or more modules for carrying out the embodiments disclosed herein. The modules can be implemented as a computer program or procedure written as source code in a conventional programming language and is presented for execution as instructions by the central processing unit as object or byte code. Alternatively, the modules could also be implemented in hardware, either as integrated circuitry or burned into read-only memory components, and each of the client and server can act as a specialized computer. For instance, when the modules are implemented as hardware, that particular hardware is specialized to perform the data quality assessment and other computers cannot be used. Additionally, when the modules are burned into read-only memory components, the computer storing the read-only memory becomes specialized to perform the data quality assessment that other computers cannot. The various implementations of the source code and object and byte codes can be held on a computer-readable storage medium, such as a floppy disk, hard drive, digital video disk (DVD), random access memory (RAM), read-only memory (ROM) and similar storage mediums. Other types of modules and module functions are possible, as well as other physical hardware components.

FIG. 2 is a flow diagram showing a computer-implemented method 30 for creating an environment for detecting malicious content, in accordance with one embodiment. A host network with multiple nodes is monitored (block 31). One or more target nodes in the host network are cloned and used to build (block 32) a test environment. The cloned nodes each include the MAC address and the IP address of the target node that is cloned. Additionally, the cloned nodes can each include the operating system (OS) system/patch level, ports and services available on the system, such as Domain Name Service (DNS), Lightweight Directory Access Protocol (LDAP), and web services. Thus, the network configuration of the clone network is similar or identical to the host network. However, the cloned nodes are not associated with specific data, such as the specific communication, that is associated with each of the target nodes in the host network. Further, although the test network environment is a clone of target nodes in the host network, the test range is completely isolated from the host network and has no routing or other network connectivity to the host network, in one embodiment.

Each of the cloned nodes can be generated manually, or automatically via a controller that surveys the live host network and allows selection of target nodes to be replicated in the test network by finding a duplicating critical infrastructure targets, such as DNS or LDAP, synchronizing the test environment copy of a current state of the host network, such as MAC change, IP change, and services changes. The number of cloned nodes necessary for each test network can be determined based on a type of testing or detection to be performed. For example, malware enters a network and makes a connection. Reconnaissance is performed across the network. One or more exploited nodes are identified and removed off the network. In this example, 42 nodes are required to simulate such a scenario and that is the minimum number of cloned nodes necessary for the test environment. Different types of testing require different numbers of cloned nodes. Further, changes to the host network can be reflected by the nodes during one or more updates to the cloned nodes in the test network.

Sensors are placed within the host network and the test network to identify communication to and from the nodes and the cloned nodes, respectively. A record is generated (block 33) for each identified communication or conversation, and can include metadata about that communication, such as the communication initiator and recipient nodes, a length of time of the communication, a number of data packets for the communication, a size of the communication, and MAC and IP addresses for the communicating nodes. Other types of information can also be included in the records. Additionally, traffic will occur between nodes on the test range through manual activity or scripts as if an individual was performing malicious actions. Specifically, the traffic is generated by the nodes themselves across the test network, and a record is generated (block 34) with details of the communication within the traffic. The records from the host network and the test network are introduced (block 35) to a detection processing pipeline, which includes detection models for communications that may include or be categorized as malicious traffic. In a further embodiment, all the records from the host network and the flow records from the test network are piped into the detection processing pipeline.

Specifically, the records from the host network and the test network are merged together in the detection processing pipeline to obtain merged network flow records and appear to originate from the same source based on the IP/MAC pairings associated with the traffic. The real traffic from a target node on the host network follows usual traffic patterns, while the records for malicious traffic from the test network are merged in the actual node flow records for observation by the detection models. This allows testing of network security detectors against malicious traffic in a true production network flow environment, without impacting or putting the real production network at risk.

The detection models can identify nodes based on rules, such as how often node A communicates with node B. Other examples of detection models include statistical analysis and machine learning based matching of malicious behavior patterns. If the metadata in the record satisfies the one or more of the model rules, that record is selected (block 36) and provided (block 37) to an end user for further review and possible classification as malicious. In a further embodiment, further analysis can be performed on the selected record before transmitting the records to the end user.

The ability to accurately detect malicious traffic can be useful during development of detection models, for internal quality assurance of detection models, end user testing, external validation of model behavior against varied customer traffic flows, sales demonstrations against live customer network traffic, generating labeled data for machine learning, and training for customer security operations center staff on response to malicious events. With respect to procuring sales, network traffic detection can be used to show a potential customer that the product is working by identifying malicious traffic that is generated in the test network.

While the invention has been particularly shown and described as referenced to the embodiments thereof, those skilled in the art will understand that the foregoing and other changes in form and detail may be made therein without departing from the spirit and scope of the invention. 

What is claimed is:
 1. A computer-implemented method comprising: creating a test computer network including a plurality of cloned nodes, wherein the plurality of cloned nodes corresponds to at least some of a plurality of target nodes of a host computer network, wherein the test computer network has no network connectivity to the host computer network; generating, by at least one first sensor coupled to the host computer network, first network flow records based on first network traffic involving one or more of the plurality of target nodes of the host computer network; generating, by at least one second sensor coupled to the test computer network, second network flow records based on second network traffic involving one or more of the plurality of cloned nodes, the second network traffic including malicious network traffic; and sending the first network flow records and the second network flow records to a detection processing pipeline, wherein the detection processing pipeline merges the first network flow records and the second network flow records to obtain merged network flow records, and wherein the merged network flow records are used to train at least one model used to identify instances of malicious network traffic.
 2. The computer-implemented method of claim 1, wherein creating the test computer network includes assigning at least one of the cloned nodes of the test computer network a media access control (MAC) address and an internet protocol (IP) address of a corresponding target node of the host computer network.
 3. The computer-implemented method of claim 1, wherein creating the test computer network includes configuring at least one test node of the plurality of cloned nodes with one or more of the following configurations matching a corresponding target node of the host computer network: an operating system, a patch level, available ports, and available services.
 4. The computer-implemented method of claim 1, wherein at least one of the plurality of cloned nodes is generated automatically by a controller that surveys the host computer network and selects target nodes to be cloned.
 5. The computer-implemented method of claim 1, wherein the plurality of cloned nodes is created automatically by a controller that surveys the host computer network and selects target nodes to be cloned, and wherein a number of cloned nodes to create is selected based on a type of network testing to be performed.
 6. The computer-implemented method of claim 1, wherein a network flow record of the first network flow records and the second network flow records corresponds to a communication between a first target node and a second target node, and wherein the network flow record identifies one or more of: an initiating node, a receiving node, a length of time of associated with the communication, a number of data packets associated with the communication, a size of the communication, MAC addresses associated with the first target node and the second target node, and IP addresses associated with the first target node and the second target node.
 7. The computer-implemented method of claim 1, further comprising generating the second network traffic in the test network to include the malicious network traffic.
 8. The computer-implemented method of claim 1, further comprising generating the second network traffic in the test network to include the malicious network traffic, wherein the second network traffic is generated based on one or more scripts used to simulate the performance of malicious actions.
 9. The computer-implemented method of claim 1, wherein the merged network flow records appear to originate from one or more of the plurality of target nodes of the host computer network.
 10. The computer-implemented method of claim 1, wherein the detection processing pipeline includes a plurality of machine learning models, each of the plurality of machine learning models used to identify one or more particular types of malicious network traffic.
 11. The computer-implemented method of claim 1, wherein the first network flow records are overlaid on the second network flow records to obtain the merged network flow records.
 12. The computer-implemented method of claim 1, further comprising: determining that at least one network flow record of the merged network flow records matches at least one model of the detection processing pipeline; and providing the at least one network flow record for review by a user.
 13. The computer-implemented method of claim 1, further comprising: detecting an update to a target node of the plurality of target nodes of the host computer network; and updating a corresponding test node of the plurality of cloned nodes to reflect the update to the target node.
 14. A system comprising: a first sensor implemented by a first one or more electronic devices coupled to a host computer network including a plurality of target nodes, the first sensor comprising instructions that, when executed by the first one or more electronic devices, cause the first sensor to: generate first network flow records based on first network traffic involving one or more of the plurality of target nodes of the host computer network; and send the first network flow records to a detection processing pipeline; a second sensor implemented by a second one or more electronic devices coupled to a test computer network including a plurality of cloned nodes, wherein the plurality of cloned nodes correspond to at least some of the plurality of target nodes of the host computer network, wherein the test computer network has no network connectivity to the host computer network, and wherein the second sensor comprises instructions that, when executed by the second one or more electronic devices, cause the second sensor to: generate second network flow records based on second network traffic involving one or more of the plurality of cloned nodes, the second network traffic including malicious network traffic; and send the second network flow records to the detection processing pipeline; a detection processing pipeline implemented by a third one or more electronic devices, the detection processing pipeline comprising instructions that, when executed by the third one or more electronic devices, cause the detection processing pipeline to: receive the first network flow records from the first sensor and the second network flow records from the second sensor; merge the first network flow records and the second network flow records to obtain merged network flow records; and use the merged network flow records to train at least one model used to identify instances of malicious network traffic.
 15. The system of claim 14, wherein at least one of the cloned nodes of the test computer network is assigned a media access control (MAC) address and an internet protocol (IP) address of a corresponding target node of the host computer network.
 16. The system of claim 14, wherein at least one test node of the plurality of cloned nodes is configured with one or more of the following configurations matching a corresponding target node of the host computer network: an operating system, a patch level, available ports, and available services.
 17. The system of claim 14, wherein at least one of the plurality of cloned nodes is generated automatically by a controller that surveys the host computer network and selects target nodes to be cloned.
 18. The system of claim 14, wherein the plurality of cloned nodes is created automatically by a controller that surveys the host computer network and selects target nodes to be cloned, and wherein a number of cloned nodes to create is selected based on a type of network testing to be performed.
 19. The system of claim 14, wherein a network flow record of the first network flow records and the second network flow records corresponds to a communication between a first target node and a second target node, and wherein the network flow record identifies one or more of: an initiating node, a receiving node, a length of time of associated with the communication, a number of data packets associated with the communication, a size of the communication, MAC addresses associated with the first target node and the second target node, and IP addresses associated with the first target node and the second target node.
 20. The system of claim 14, further comprising generating the second network traffic in the test network to include the malicious network traffic.
 21. The system of claim 14, further comprising generating the second network traffic in the test network to include the malicious network traffic, wherein the second network traffic is generated based on one or more scripts used to simulate the performance of malicious actions.
 22. The system of claim 14, wherein the merged network flow records appear to originate from one or more of the plurality of target nodes of the host computer network.
 23. The system of claim 14, wherein the detection processing pipeline includes a plurality of machine learning models, each of the plurality of machine learning models used to identify one or more particular types of malicious network traffic.
 24. The system of claim 14, wherein the first network flow records are overlaid on the second network flow records to obtain the merged network flow records.
 25. The system of claim 14, further comprising: determining that at least one network flow record of the merged network flow records matches at least one model of the detection processing pipeline; and providing the at least one network flow record for review by a user.
 26. The system of claim 14, further comprising: detecting an update to a target node of the plurality of target nodes of the host computer network; and updating a corresponding test node of the plurality of cloned nodes to reflect the update to the target node.
 27. A computer-implemented method comprising: receiving, from at least one first sensor coupled to a host computer network, first network flow records based on first network traffic involving one or more of a plurality of target nodes of the host computer network; receiving, from at least one second sensor coupled to a test computer network, second network flow records based on second network traffic involving one or more of a plurality of cloned nodes of the test computer network, wherein the plurality of cloned nodes correspond to at least some of the plurality of target nodes of the host computer network, wherein the test computer network has no network connectivity to the host computer network, and wherein the second network traffic includes malicious network traffic; merging the first network flow records and the second network flow records to obtain merged network flow records; and using the merged network flow records to train at least one model used to identify instances of malicious network traffic.
 28. The computer-implemented method of claim 27, wherein a network flow record of the first network flow records and the second network flow records corresponds to a communication between a first target node and a second target node, and wherein the network flow record identifies one or more of: an initiating node, a receiving node, a length of time of associated with the communication, a number of data packets associated with the communication, a size of the communication, MAC addresses associated with the first target node and the second target node, and IP addresses associated with the first target node and the second target node.
 29. The computer-implemented method of claim 27, wherein the merged network flow records appear to originate from one or more of the plurality of target nodes of the host computer network.
 30. The computer-implemented method of claim 27, wherein a detection processing pipeline including a plurality of machine learning models uses the merged network flow records to train the at least one model, each of the plurality of machine learning models used to identify one or more particular types of malicious network traffic. 